Enhanced wireless network security using GPS

ABSTRACT

A wireless piconet network device includes a GPS receiver to determine and provide earth coordinates to a gatekeeper of a wireless network so as to provide a level of security to wireless networks which requires accessing wireless devices to be within predefined boundary coordinates. The automatic restriction of access to a wireless network (e.g., a wireless local area network (LAN) such as a piconet network) by requiring a wireless network device to provide earth coordinates (e.g., GPS location information) as part of an establishment or maintenance of a connection to a wireless network, independent of a range of communication of any device in the wireless network. A wireless piconet network device outside of predetermined earth coordinates of a secured area (e.g., a building, a room in a building, a desk in a room in a building, etc.) may be denied access to resources on the wireless network, and/or required to provide additional authorization information so as to confirm authorized secured status of the entering wireless device.

This is a continuation of application Ser. No. 09/759,527, filed Jan.16, 2001, now issued as U.S. Pat. No. 7,058,358, the disclosure thereofbeing incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to wireless networks. Moreparticularly, it relates to improved security apparatus and techniquesfor wireless networks, particularly piconet type networks such as aBLUETOOTH™ conforming piconet network.

2. Background

Conventional secured networks have been wired networks physicallyconnecting a plurality of network devices. Such networks areconventionally secured with authorization of one or more passwords inputby a user of a particular network device.

A wired network connection affords a reasonable level of security inthat the user must be inside a building to connect to the network.However, when expanding a network to include wireless connectivity,wireless connections to the network do not inherently have the samephysical restrictions to access that wired connections do.

Piconet networks, or small, short range wireless networks, are beingformed by more and more devices in many homes and offices. Inparticular, a popular piconet standard is commonly referred to as aBLUETOOTH™ piconet. Piconet technology in general, and BLUETOOTHtechnology in particular, provides peer-to-peer communications overshort distances.

The wireless frequency of piconets may be 2.4 GHz as per BLUETOOTHstandards, and/or typically have a 30 to 300 foot range. The piconet RFtransmitter may operate in common frequencies which do not necessarilyrequire a license from the regulating government authorities, e.g., theFederal Communications Commission (FCC) in the United States.Alternatively, the wireless communication can be accomplished withinfrared (IR) transmitters and receivers, but this is less preferablebecause of the directional and visual problems often associated with IRsystems.

A plurality of piconet networks may be interconnected through ascatternet connection, in accordance with BLUETOOTH protocols. BLUETOOTHnetwork technology may be utilized to implement a piconet wirelessnetwork connection (including scatternet). The BLUETOOTH standard forpiconet wireless networks is well known, and is available from manysources, e.g., from the web site www.bluetooth.com.

Short range wireless connections such as those offered by piconets ingeneral, and BLUETOOTH conforming piconets in particular, while havingmany advantages provided by wireless connectivity, also inherently havedistinct disadvantages from wired connections. For instance, a personjust outside the building, but still in range of the short rangewireless network (e.g., 802.11, BLUETOOTH etc.) could gain access to aninternal wireless server from outside the building but still within therange of the short range wireless network.

FIG. 6 depicts an exemplary secured building 510 including a network ofexemplary wireless devices 500, 502, with connectivity accessinadvertently provided to an unauthorized wireless device 504.

In particular, as shown in FIG. 6, an exemplary short range wirelessnetwork is established within the confines a building 510. In the givenexample, wireless connectivity is established between an enteringwireless device, e.g., BLUETOOTH piconet device 502, or 802.11bcompliant device, whereupon a password entered by a user of the enteringwireless device 502 is authorized by a piconet security server 500.However, in the given example, an unauthorized wireless device 504 lurksoutside the secured building, but within the short range of at least onewireless network device within the building, unbeknownst to the wirelessnetwork administrator. Unfortunately, while the unauthorized wirelessdevice 504 may still be required to input a properly authorized passwordto allow access to resources on the wireless network, a first layer ofsecurity has already been breached by allowing the unauthorized wirelessdevice 504 the ability to receive wireless transmissions in the shortrange wireless network.

In such a scenario, since connectivity access to the secured network maybe obtained from a location outside of the secured building, the networksecurity relies entirely on the password strategies for the particularnetwork. However, this may be problematic in certain higher securityapplications because access may be gained external to the securedbuilding using, e.g., stolen access codes.

Previous attempts to provide security to wired network devices includeddial up access techniques using one or more passwords or even constantlychanging passwords to prevent unauthorized access. However, dial upaccess techniques do not address specific challenges of wireless accessto secure servers. Moreover, dial up security solutions in a wirelessworld would require all users inside the secured building to go throughexcessive security steps which simply add layers of password typestrategies.

There is a need for an apparatus and technique which allows wirelessdevices, and in particular wireless BLUETOOTH piconet devices, to beimplemented in secure environments allowing secure communications whichprevent unauthorized communications within range of the piconet devices.

SUMMARY OF THE INVENTION

In accordance with the principles of the present invention, a wirelesspiconet device comprises a wireless piconet front end, and a GPSreceiver in communication with the wireless piconet front end.

In accordance with another aspect of the present invention, a wirelesspiconet server comprises a wireless piconet front end. An earthcoordinates authorization module determines authority of a received setof coordinates to gain access to a wireless network. Boundarycoordinates correspond to a predetermined secured area for access to thewireless network.

A method of authorizing a wireless piconet network device to gain accessto a wireless network in accordance with yet another aspect of thepresent invention comprises receiving a set of earth coordinates fromthe wireless piconet network device. The received set of earthcoordinates are compared to predetermined boundaries of a secured area.If the received set of earth coordinates are within the predeterminedboundaries of the secured area, the wireless piconet network device isauthorized to gain access to the wireless network.

BRIEF DESCRIPTION OF THE DRAWINGS

Features and advantages of the present invention will become apparent tothose skilled in the art from the following description with referenceto the drawings, in which:

FIG. 1 depicts two piconet wireless network devices, one within asecured building permitted to have authorized access to the wirelessnetwork in the secured building, and another external to a securedbuilding and not permitted to have authorized access to the wirelessnetwork in the secured building, in accordance with the principles ofthe present invention.

FIG. 2 shows an exemplary piconet wireless network device including aBLUETOOTH piconet front end and Global Positioning System (GPS) receiverfor providing location information for security authorization purposes,in accordance with the principles of the present invention.

FIG. 3 shows an exemplary wireless piconet security server capable ofauthorizing earth coordinates of another wireless network device and/ora password, in accordance with the principles of the present invention.

FIG. 4 shows an exemplary process flow of authorization of a piconetwireless network device within defined absolute earth coordinates, inaccordance with the principles of the present invention.

FIG. 5 shows another application of piconet wireless devices includingGPS capability allowing exchange of certain data (e.g., business carddata) when within a particularly defined region (e.g., conference room),in accordance with the principles of the present invention.

FIG. 6 depicts an exemplary secured building including a network ofexemplary wireless devices, with connectivity access inadvertentlyprovided to an unauthorized wireless device.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

The present invention relates to the automatic restriction of access toa wireless network (e.g., a wireless local area network (LAN) such as apiconet network) by requiring a wireless network device to provide earthcoordinates (e.g., GPS location information) as part of an establishmentor maintenance of a connection to a wireless network, independent of arange of communication of any device in the wireless network. Thus, inaccordance with the principles of the present invention, a wirelesspiconet network device outside of predetermined earth coordinates of asecured area (e.g., a building, a room in a building, a desk in a roomin a building, etc.) may be denied access to resources on the wirelessnetwork, and/or required to provide additional authorization informationso as to confirm authorized secured status of the entering wirelessdevice.

FIG. 1 depicts two piconet wireless network devices, one within asecured building permitted to have authorized access to the wirelessnetwork in the secured building, and another external to a securedbuilding and not permitted to have authorized access to the wirelessnetwork in the secured building, in accordance with the principles ofthe present invention.

In particular, FIG. 1 shows the perimeter of a secured building 210,including a short range wireless (e.g., BLUETOOTH piconet) securityserver 200, and an authorized wireless piconet network device 100 a. Inaccordance with the principles of the present invention, the authorizedwireless piconet network device 100 a includes a Global PositioningSatellite (GPS) receiver 106 a suitable for receiving information as abasis for determining earth coordinates of the relevant wireless piconetnetwork device 100 a.

The global positioning system (GPS) is a worldwide radio-navigationsystem formed from a constellation of 24 satellites and their groundstations. GPS uses these “man-made stars” as reference points tocalculate positions accurate to a matter of meters. In fact, withadvanced forms of GPS location measurements are achievable to betterthan one centimeter. In recent years, GPS receivers have beenminiaturized to just a few integrated circuits and thus are becomingvery economical. The GPS receivers 106 a, 106 b shown in FIG. 1 areconventional. Information about GPS receivers is well known, andavailable, e.g., at www.trimble.com/gps/howgps/gpsfram2.htm, which inits entirety is explicitly incorporated herein by reference.

The GPS receiver 106 a may be a separate module in communication withthe piconet front end of the relevant wireless piconet network device100 a, or may be integrated within the wireless piconet network device100 a to reduce the chance of faking the coordinates.

In accordance with the principles of the present invention, the earthcoordinates determined based on the GPS receiver 106 a are forwarded tothe piconet security server 200 or other network device to determinewhether or not the earth coordinates forwarded by the wireless piconetnetwork device 100 a correspond to a secured area, e.g., to an areainternal to the boundary defined by the four walls of the perimeter 210.Of course secured areas may include any shaped area, in both two- andthree dimensions.

Also shown in FIG. 1 is an unauthorized wireless piconet network device100 a potentially attempting to communicate with devices in the wirelesspiconet network within the secured area defined internal to theperimeter 210. However, in accordance with the principles of the presentinvention, the unauthorized wireless piconet network device 100 b willdetermine either GPS coordinates which will not be within the securedareas coordinates stored in the piconet security server 200, or will bea network device which does not include a GPS receiver at all. In eithercase, authorization will be denied by devices within the wirelesspiconet network, and thus an additional level of security relating tophysical location of the communicating wireless device will not havebeen breached, providing increased security protection.

The wireless piconet network device 100 may be virtually any deviceincluding a short range wireless front end (e.g., a BLUETOOTH piconetfront end). For instance, the wireless piconet network device 100 maybe, e.g., a computer, personal digital assistant (PDA), printer,scanner, cell phone, etc.

In accordance with the principles of the present invention, while awireless piconet network device 100 attempts to gain access to awireless network service (e.g., a BLUETOOTH compatible piconet printer,LAN access), the BLUETOOTH application in the wireless piconet networkdevice 100 determines and then passes its earth coordinates (e.g., GPSlocation), typically accurate to a few meters (or even centimeters usingDifferential GPS), along with any other required authenticationinformation to the wireless network, e.g., to the piconet securityserver 200. A suitable application in the relevant gatekeeper of thewireless network will determine whether or not the received GPS locationis within a predefined secured, authorized access area. If the receivedGPS location is within the authorized access area, access is granted. Ifoutside the authorized access area, access may be denied. Alternatively,if outside the authorized access area, further authenticationinformation may be requested of the entering wireless piconet networkdevice 100. Once authorized, a device may be permitted to wander outsidethe secured area, or not.

The authorized area may be defined in any suitable manner. For instance,it may be defined as internal to a particular perimeter 210 as shown inFIG. 1, or it may simply be a specified distance from a particular point(e.g., within a circle) less than a given range of the wireless network.

FIG. 2 shows an exemplary piconet wireless network device including aBLUETOOTH piconet front end and Global Positioning System (GPS) receiverfor providing location information for security authorization purposes,in accordance with the principles of the present invention.

In particular, FIG. 2 shows a more detailed embodiment of a wirelesspiconet network device 100, including a BLUETOOTH piconet front end 102,a GPS receiver 106, and a suitable processor communicating with both theBLUETOOTH piconet front end 102 and the GPS receiver 106. The processor108 may be, e.g., a microprocessor, a microcontroller, ASIC, or adigital signal processor (DSP). Also, the processor 108 may beintegrated within the GPS receiver 106 and/or the BLUETOOTH front end102 such that as few as one processor may be required within thewireless piconet network device 100.

Also shown in FIG. 2 is a password entry device 104, e.g., a keyboard,allowing the user to input a password for forwarding to the piconetsecurity server 200 and authorization of wireless network access.

FIG. 3 shows an exemplary wireless piconet security server capable ofauthorizing earth coordinates of another wireless network device and/ora password, in accordance with the principles of the present invention.

In particular, as shown in FIG. 3, the exemplary wireless piconetsecurity server 200 includes a BLUETOOTH front end 630, a suitableprocessor 610 (e.g., a microprocessor, a microcontroller, or a DSP), andan earth coordinates authorization module 600. The wireless piconetsecurity server 200 may further include a password authorization module620.

The earth coordinates authorization module 600 may be, e.g., anapplication program operating on the processor 610. The earthcoordinates authorization module 600 accesses predetermined boundaryearth coordinates 602 defining the secured area (or areas). Received GPSlocation coordinates received from wireless piconet network devicesrequesting authorization are compared to the boundary coordinates 602 bythe earth coordinates authorization module 600 to determine whether ornot the requesting wireless piconet network device is within thepredetermined secured area. If so, then authorization is allowed toproceed. If not, the requesting wireless piconet network device isdenied access to resources on the wireless network. Depending upon theparticular application, a denied request might indicate that the reasonfor denial is outside of the secured area.

The wireless piconet security server 200 may also include the passwordauthorization module 620 and associated database storage ofpre-authorized passwords 622. The password authorization module 620compares passwords received from requesting wireless piconet networkdevices to determine whether or not the password is authorized.

The wireless piconet security server 200 may determine authorizationusing earth coordinates before using a password received from therequesting wireless piconet network device, or after using the password,within the scope of the present invention.

FIG. 4 shows an exemplary process flow of authorization of a piconetwireless network device within defined absolute earth coordinates, inaccordance with the principles of the present invention.

In particular, step 402 of FIG. 4 shows the new presence of a wirelesspiconet network device in a piconet wireless network.

Step 404 shows the presentation of a password from the wireless piconetnetwork device 100 to the wireless piconet security server 200. Ofcourse, the GPS location may be checked first, and then the passwordverified, within the scope of the present invention.

In step 406, the wireless piconet security server 200 determines whetheror not the supplied password is among those stored in the authorizedpassword database 622. If not, the wireless piconet network device isdisapproved, as shown in step 414, and the process ends. The network mayor may not ignore further communications from the disapproved wirelesspiconet network device, depending upon the particular application.

However, if the password is approved in step 406, the process mayproceed to check the supplied GPS earth coordinates against securedareas defined by boundary coordinates 602.

In particular, as shown in step 408, the GPS location informationdetermined by the requesting wireless piconet network device ispresented to the wireless piconet security server 200.

In step 410, the earth coordinates authorization module 600 determineswhether or not the earth coordinates supplied by the requesting wirelesspiconet network device are within the predetermined secured area(s). Ifnot, the process disapproves the requesting wireless piconet networkdevice 100 as shown in step 414, and the process ends.

However, if the received earth coordinates are within an area defined bythe boundary coordinates 602, then the requesting wireless piconetnetwork device 100 is granted access to the wireless network.

In a preferred embodiment, the earth coordinates are periodically,and/or upon demand of the wireless piconet security server in a pollingscenario, provided to the wireless piconet security server to determinewhether or not the relevant wireless piconet network device remainswithin the secured area defined by the boundary coordinates 602. If not,access is preferably terminated, at least until the wireless piconetnetwork device re-authorizes its presence in and access to the wirelessnetwork.

The password provided by the wireless piconet network device may beinput by the user, or may be pre-set in the wireless piconet networkdevice.

The boundary coordinates 602 may be established using a configurationroutine which receives GPS coordinates relating to extreme boundaries ofthe secured area as a person walks a suitable wireless piconet networkdevice along the perimeter of the secured area.

In an alternative embodiment, a wireless piconet network device maydetermine whether or not there are multiple short range wirelessservices detected within range. For instance, when a wireless piconetnetwork device discovers that there are multiple similar services withinrange, it may access the wireless network which has a communicatingdevice which is physically closest. Alternatively, using prior knowledgeof walls or other obstacles, it may automatically access the wirelessservice provider whose RF signal is the least obstructed.

FIG. 5 shows another application of piconet wireless devices includingGPS capability allowing exchange of certain data (e.g., business carddata) when within a particularly defined region (e.g., conference room),in accordance with the principles of the present invention.

In particular, another use for GPS in a piconet wireless is to implementa piconet front end (e.g., a BLUETOOTH piconet front end) on a PDAdevice. Then, in a given scenario, a feature may allow a user's PDA toexchange business card information with others automatically, but, e.g.,only within the walls of a convention. This requirement can beimplemented as an enhancement to the Generic Object Exchange Profilefound in BLUETOOTH specifications.

As shown in FIG. 5, a conference room 304 includes a server 372including a wireless piconet (e.g., BLUETOOTH) front end, and a database300 including information to be exchanged between conferenceparticipants (e.g., business card type information, servicedescriptions, exhibited product information, etc.)

Conference participants each have a wireless piconet network device 100(e.g., PDA devices) including information to be exchanged with otherconference participants. Each wireless piconet network device 100includes a suitable exchange information database 340 a-340 c, whichestablishes a presence on a piconet network after entering the doorwayof the conference room 304 at least long enough to synchronize exchangeinformation databases 300, 340. In the given example, passwordauthorization is not required: only earth coordinate information.

Thus, using a PDA with a BLUETOOTH piconet front end and an exchangeinformation database 340 which is synchronized with another exchangeinformation database 300, while a user is outside a convention buying anewspaper, exchange information remains private to the user's PDA.However, once the user enters the convention area, information such asbusiness card information, etc., may be exchanged with a suitable server372 allowing relevant exchange information databases 300, 340 to beappropriately synchronized. When a user leaves the convention, their PDAmay again be synchronized with exchange information.

The earth coordinates of the convention area or other defined exchangearea may be established by, e.g., walking the perimeter of the relevantarea and storing periodic boundary coordinates. Alternatively, theappropriate coordinates may be published by the convention organizersbeforehand for PDA users to input into their own PDA devices.

Shared exchange information can be based on GPS location coordinates ofthe relevant wireless piconet network devices and/or based on the earthcoordinates of another wireless piconet network device requesting theexchange information.

Accordingly, the utilization of earth coordinates with a wirelesspiconet network device provides an additional level of security forwireless network connections, and provides greater control over privacyof information, while requiring minimal user input.

While the use of actual coordinates are shown and described in the givenembodiments, the present invention relates equally to the use of anactual vector distance determined by a distance between earth coordinatelocations of two separate wireless piconet network devices, within thescope of the present invention.

While the embodiments of the present invention are described and shownwith reference to absolute earth coordinates determined by a GPSreceiver, other coordinate or location determining technology may beimplemented within the principles of the present invention. Forinstance, the present invention relates equally to the use of cell towertriangulation in determining a location of a particular wireless device.

While the invention has been described with reference to the exemplaryembodiments thereof, those skilled in the art will be able to makevarious modifications to the described embodiments of the inventionwithout departing from the true spirit and scope of the invention.

1. A method of authorizing a wireless network device to gain access to awireless network, comprising: establishing a physical boundary definingan area of authorized access to the wireless network by performing thesteps of i) traversing a perimeter of said area of authorized accesswith a first wireless network device, and ii) transmitting a pluralityof boundary coordinates from said first wireless network device whensaid wireless network device is in each corresponding location on theperimeter of said area of authorized access; receiving a set of earthcoordinates from a second wireless network device, wherein the earthcoordinates correspond to a location of the second wireless networkdevice; comparing said received set of earth coordinates to theestablished physical boundary of the area of authorized access to awireless network; determining, by an authorization module, if saidreceived set of earth coordinates are within said boundary of said areaof authorized access; and authorizing said second wireless networkdevice to gain access to said wireless network based on said receivedset of earth coordinates.
 2. The method of authorizing a wirelessnetwork device to gain access to a wireless network according to claim1, further comprising: determining, by a password authorization module,an authority of said second wireless network device to gain access tosaid wireless network.
 3. The method of authorizing a wireless networkdevice to gain access to a wireless network according to claim 1,wherein: said earth coordinates are received from said wireless networkdevice over said wireless network.